Re: trusted domains patch n+3
Rafal Szczesniak wrote:
> This is a patch consisting of various fixes. Short list includes:
>
> - using user_info.client_domain structure (from user supplied auth info) instead of user_info.domain

This just is not correct. Current behaviour is by design

> - new (and soon completely rewritten when generic cache comes up) make_user_info_map function

I'll just wait for the final rewrite

> - return type NTSTATUS instead of BOOL for make_user_info_map, make_user_info and make_user_info_for_reply_encI (the rest of these routines should do the same, imho)

Thank you, applied

> - occasional segfault fix in local groups fetching code when no uid to unix name can be found by winbind

Nice one.

> - additional debug lines for soon-to-be-changed namecache

I'll apply this with the rest of your cache changes

> - samr_r_enum_dom_users parsing fix

I would like an explanation on this one

> - a bit more aesthetics for 'net rpc trustdom list'

good

> Some changes are quite radical, so I expect criticism, especially from some of the Team members ;-)

Who me? ;-)

> Part of this patch is a draft rather than completed proposition and as such, much of the code may yet be changed.

The 'easy' bits have been committed - the rest need a bit of work, or at least a bit more explanation.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: trusted domains patch n+3
On Fri, Sep 06, 2002 at 11:39:52PM +1000, Andrew Bartlett wrote:
> Rafal Szczesniak wrote:
> > This is a patch consisting of various fixes. Short list includes:
> >
> > - using user_info.client_domain structure (from user supplied auth info) instead of user_info.domain
>
> This just is not correct. Current behaviour is by design

Then I need to talk to you about this on purpose of various parts of auth structures. It's gonna be interesting discussion...

> > - new (and soon completely rewritten when generic cache comes up) make_user_info_map function
>
> I'll just wait for the final rewrite

Sure. I assume it will be done right after implementing trusted domains cache on top of gencache.

> > - return type NTSTATUS instead of BOOL for make_user_info_map, make_user_info and make_user_info_for_reply_encI (the rest of these routines should do the same, imho)
>
> Thank you, applied

And stay tuned for the rest of make_user_* functions...

> > - occasional segfault fix in local groups fetching code when no uid to unix name can be found by winbind
>
> Nice one.

Oh yes, catching this was also nice :-)

> > - additional debug lines for soon-to-be-changed namecache
>
> I'll apply this with the rest of your cache changes

ok.

> > - samr_r_enum_dom_users parsing fix
>
> I would like an explanation on this one

no problem. I just gather some packet traces.

> > - a bit more aesthetics for 'net rpc trustdom list'
>
> good
>
> > Some changes are quite radical, so I expect criticism, especially from some of the Team members ;-)
>
> Who me? ;-)

Of course not... ;-)

> > Part of this patch is a draft rather than completed proposition and as such, much of the code may yet be changed.
>
> The 'easy' bits have been committed - the rest need a bit of work, or at least a bit more explanation.

Ok. At least it's some move forward.

--
cheers,
Rafal 'Mimir' Szczesniak [EMAIL PROTECTED]
*BSD, GNU/Linux and Samba
Re: trusted domains patch n+3
Rafal Szczesniak wrote:
> On Fri, Sep 06, 2002 at 11:39:52PM +1000, Andrew Bartlett wrote:
> > Rafal Szczesniak wrote:
> > > This is a patch consisting of various fixes. Short list includes:
> > >
> > > - using user_info.client_domain structure (from user supplied auth info) instead of user_info.domain
> >
> > This just is not correct. Current behaviour is by design
>
> Then I need to talk to you about this on purpose of various parts of auth structures. It's gonna be interesting discussion...

The basic idea is like the two usernames in the struct: One is the username they wanted, the other is the username they got (after the username map file). Similarly for domains - if the domain they wanted is trusted, and we are not allowing trusted domains, or if the domain doesn't exist, then we replace it with our own domain. We may still need their original username/domain for authentication (NTLMv2 comes to mind in particular), hence why we keep both.

> > > - new (and soon completely rewritten when generic cache comes up) make_user_info_map function
> >
> > I'll just wait for the final rewrite
>
> Sure. I assume it will be done right after implementing trusted domains cache on top of gencache.

Sounds good to me.

> > > - return type NTSTATUS instead of BOOL for make_user_info_map, make_user_info and make_user_info_for_reply_encI (the rest of these routines should do the same, imho)
> >
> > Thank you, applied
>
> And stay tuned for the rest of make_user_* functions...

I like it when somebody else cleans up the mess I leave behind ;-)

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: trusted domains patch n+3
On Fri, Sep 06, 2002 at 11:56:46PM +1000, Andrew Bartlett wrote:
> Rafal Szczesniak wrote:
> > On Fri, Sep 06, 2002 at 11:39:52PM +1000, Andrew Bartlett wrote:
> > > Rafal Szczesniak wrote:
> > > > This is a patch consisting of various fixes. Short list includes:
> > > >
> > > > - using user_info.client_domain structure (from user supplied auth info) instead of user_info.domain
> > >
> > > This just is not correct. Current behaviour is by design
> >
> > Then I need to talk to you about this on purpose of various parts of auth structures. It's gonna be interesting discussion...
>
> The basic idea is like the two usernames in the struct: One is the username they wanted, the other is the username they got (after the username map file). Similarly for domains - if the domain they wanted is trusted, and we are not allowing trusted domains, or if the domain doesn't exist, then we replace it with our own domain. We may still need their original username/domain for authentication (NTLMv2 comes to mind in particular), hence why we keep both.

Ok. This clears some of my ideas about this. Indeed, this code should look different.

> > > > - return type NTSTATUS instead of BOOL for make_user_info_map, make_user_info and make_user_info_for_reply_encI (the rest of these routines should do the same, imho)
> > >
> > > Thank you, applied
> >
> > And stay tuned for the rest of make_user_* functions...
>
> I like it when somebody else cleans up the mess I leave behind ;-)

But don't get used to it ;-)

--
cheers,
Rafal 'Mimir' Szczesniak [EMAIL PROTECTED]
*BSD, GNU/Linux and Samba
Re: trusted domains patch n+3
On Fri, 2002-09-06 at 15:56, Andrew Bartlett wrote:
> One is the username they wanted, the other is the username they got (after the username map file). Similarly for domains - if the domain they wanted is trusted, and we are not allowing trusted domains, or if the domain doesn't exist, then we replace it with our own domain. We may still need their original username/domain for authentication (NTLMv2 comes to mind in particular), hence why we keep both.

What are you trying to do there? Why should we replace a domain name with another???

Simo.

--
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: trusted domains patch n+3
On Fri, Sep 06, 2002 at 04:42:53PM +0200, Simo Sorce wrote:
> On Fri, 2002-09-06 at 15:56, Andrew Bartlett wrote:
> > One is the username they wanted, the other is the username they got (after the username map file). Similarly for domains - if the domain they wanted is trusted, and we are not allowing trusted domains, or if the domain doesn't exist, then we replace it with our own domain. We may still need their original username/domain for authentication (NTLMv2 comes to mind in particular), hence why we keep both.
>
> What are you trying to do there? Why should we replace a domain name with another???

For instance, when lp_allow_trusted_domains() is set to false, then user's domain name should be replaced with our domain name. Authentication modules will then look for username in our domain's SAM instead of querying trusted domains.

I hope I understood your question well...

--
cheers,
Rafal 'Mimir' Szczesniak [EMAIL PROTECTED]
*BSD, GNU/Linux and Samba
Re: trusted domains patch n+3
On Fri, Sep 06, 2002 at 05:01:25PM +0200, Simo Sorce wrote:
> On Fri, 2002-09-06 at 16:37, Rafal Szczesniak wrote:
> > On Fri, Sep 06, 2002 at 04:42:53PM +0200, Simo Sorce wrote:
> > > What are you trying to do there? Why should we replace a domain name with another???
> >
> > For instance, when lp_allow_trusted_domains() is set to false, then user's domain name should be replaced with our domain name. Authentication modules will then look for username in our domain's SAM instead of querying trusted domains.
>
> Can you explain to me why we should not simply fail?

In case of ?

--
cheers,
Rafal 'Mimir' Szczesniak [EMAIL PROTECTED]
*BSD, GNU/Linux and Samba
Re: trusted domains patch n+3
Ok, that was clear, what I want to ask, is: why should we try to logon a user that provides bad information? Shouldn't we simply deny it with an error? How does NT behave in such situations?

Simo.

On Sat, 2002-09-07 at 00:42, Andrew Bartlett wrote:
> Rafal Szczesniak wrote:
> > On Fri, Sep 06, 2002 at 05:01:25PM +0200, Simo Sorce wrote:
> > > On Fri, 2002-09-06 at 16:37, Rafal Szczesniak wrote:
> > > > On Fri, Sep 06, 2002 at 04:42:53PM +0200, Simo Sorce wrote:
> > > > > What are you trying to do there? Why should we replace a domain name with another???
> > > >
> > > > For instance, when lp_allow_trusted_domains() is set to false, then user's domain name should be replaced with our domain name. Authentication modules will then look for username in our domain's SAM instead of querying trusted domains.
> > >
> > > Can you explain to me why we should not simply fail?
> >
> > In case of ?
>
> OK, time for an explanation: We can receive all sorts of things in the 'domain' field from a client. Mostly it's their current domain. If we are a standalone server, or don't trust the domain they supplied, then we replace it with our own for authentication. Similarly if we are not using trusted domains at all - then every login gets changed to our local domain. However, some parts of the code (NTLMv2 in particular) need the original domain, so we keep that around.
>
> Does that make a bit more sense?
>
> Andrew Bartlett
>
> --
> Andrew Bartlett [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
> Student Network Administrator, Hawker College [EMAIL PROTECTED]
> http://samba.org http://build.samba.org http://hawkerc.net

--
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
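The mapping Andrew Bartlett describes in this thread, sketched in C as an added example (not Samba code and not written by anyone in the thread); the struct, the function names and the PARTNER/OURDOM values are hypothetical. It shows that an "is this our own domain?" test gives different answers depending on whether it reads domain or client_domain.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the auth structure discussed in the thread. */
struct user_info_demo {
    char client_domain[64]; /* domain exactly as the client sent it */
    char domain[64];        /* domain we will actually authenticate against */
};

/* Constructed sample: the domains this server trusts. */
static const char *trusted_demo[] = { "PARTNER", NULL };

bool eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b; /* equal only if both strings ended together */
}

static bool is_trusted_demo(const char *name)
{
    for (size_t i = 0; trusted_demo[i] != NULL; i++)
        if (eq_nocase(trusted_demo[i], name))
            return true;
    return false;
}

/* Keep the client's value; map the effective domain to ours unless the
 * client named our domain, or a trusted one while trusts are allowed. */
void map_domain_demo(struct user_info_demo *u, const char *client_domain,
                     const char *ours, bool allow_trusted)
{
    bool keep = eq_nocase(client_domain, ours) ||
                (allow_trusted && is_trusted_demo(client_domain));
    snprintf(u->client_domain, sizeof u->client_domain, "%s", client_domain);
    snprintf(u->domain, sizeof u->domain, "%s", keep ? client_domain : ours);
}

int main(void)
{
    struct user_info_demo u;
    map_domain_demo(&u, "PARTNER", "OURDOM", false); /* trusts disabled */
    printf("mapped=%s local by domain=%d, by client_domain=%d\n", u.domain,
           eq_nocase(u.domain, "OURDOM"), eq_nocase(u.client_domain, "OURDOM"));
    return 0;
}
```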
trusted domains patch n+3
This is a patch consisting of various fixes. Short list includes:

- using user_info.client_domain structure (from user supplied auth info) instead of user_info.domain
- new (and soon completely rewritten when generic cache comes up) make_user_info_map function
- return type NTSTATUS instead of BOOL for make_user_info_map, make_user_info and make_user_info_for_reply_encI (the rest of these routines should do the same, imho)
- occasional segfault fix in local groups fetching code when no uid to unix name can be found by winbind
- additional debug lines for soon-to-be-changed namecache
- samr_r_enum_dom_users parsing fix
- a bit more aesthetics for 'net rpc trustdom list'

Some changes are quite radical, so I expect criticism, especially from some of the Team members ;-)

Part of this patch is a draft rather than completed proposition and as such, much of the code may yet be changed.

--
cheers,
Rafal 'Mimir' Szczesniak [EMAIL PROTECTED]
*BSD, GNU/Linux and Samba

Index: Makefile.in === RCS file: /cvsroot/samba/source/Makefile.in,v retrieving revision 1.527 diff -u -r1.527 Makefile.in --- Makefile.in 30 Aug 2002 12:46:54 - 1.527 +++ Makefile.in 2 Sep 2002 10:37:24 - @@ -242,7 +242,8 @@ AUTH_OBJ = auth/auth.o auth/auth_sam.o auth/auth_server.o auth/auth_domain.o \ auth/auth_rhosts.o auth/auth_unix.o auth/auth_util.o auth/auth_winbind.o \ - auth/auth_builtin.o auth/auth_compat.o $(PLAINTEXT_AUTH_OBJ) $(UNIGRP_OBJ) + auth/auth_builtin.o auth/auth_compat.o \ + $(PLAINTEXT_AUTH_OBJ) $(UNIGRP_OBJ) MANGLE_OBJ = smbd/mangle.o smbd/mangle_hash.o smbd/mangle_map.o smbd/mangle_hash2.o Index: auth/auth.c === RCS file: /cvsroot/samba/source/auth/auth.c,v retrieving revision 1.41 diff -u -r1.41 auth.c --- auth/auth.c 31 Jul 2002 12:17:32 - 1.41 +++ auth/auth.c 2 Sep 2002 10:37:26 - 
@@ -211,7 +211,7 @@ if (!check_domain_match(user_info-smb_name.str, user_info-domain.str)) { return NT_STATUS_LOGON_FAILURE; } - + for (auth_method = auth_context-auth_method_list;auth_method; auth_method = auth_method-next) { mem_ctx = talloc_init_named(%s authentication for user %s\\%s, auth_method-name, Index: auth/auth_domain.c === RCS file: /cvsroot/samba/source/auth/auth_domain.c,v retrieving revision 1.57 diff -u -r1.57 auth_domain.c --- auth/auth_domain.c 30 Aug 2002 10:46:58 - 1.57 +++ auth/auth_domain.c 2 Sep 2002 10:37:27 - @@ -164,13 +164,13 @@ * With NT4.x DC's *all* authentication must be serialized to avoid * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. */ - + if (!grab_server_mutex(server)) return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ result = cli_full_connection(cli, global_myname, remote_machine, -dest_ip, 0, IPC$, IPC, , , ,0); +dest_ip, 0, IPC$, IPC, , , ,0); if (!NT_STATUS_IS_OK(result)) { release_server_mutex(); @@ -251,7 +251,7 @@ } /*** - We have been asked to dynamcially determine the IP addresses of + We have been asked to dynamically determine the IP addresses of the PDC and BDC's for DOMAIN, and query them in turn. / static NTSTATUS find_connect_pdc(struct cli_state **cli, @@ -388,7 +388,7 @@ */ nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, - user_info-smb_name.str, user_info-domain.str, + user_info-smb_name.str, +user_info-client_domain.str, user_info-wksta_name.str, chal, user_info-lm_resp, user_info-nt_resp, info3); @@ -552,7 +552,7 @@ * If it is, we should use our own local password file. */ - if(strequal(lp_workgroup(), (user_info-domain.str))) { + if(strequal(lp_workgroup(), (user_info-client_domain.str))) { DEBUG(3,(check_trustdomain_security: Requested domain was for this domain.\n)); return NT_STATUS_LOGON_FAILURE; } @@ -562,14 +562,14 @@ * No need to become_root() as secrets_init() is done at startup. */ - if
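
Review bot: The @@ -164 hunk of auth/auth_domain.c carries only whitespace changes as shown (the blank line before grab_server_mutex and the continuation line of the cli_full_connection call have the same text on the removed and added sides), and the auth/auth.c @@ -211 hunk is the same kind of change. Please split this cleanup into its own patch so the client_domain changes further down the file can be reviewed and, if needed, reverted on their own.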
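
Review bot: In the @@ -388 hunk of auth/auth_domain.c, the domain argument passed to cli_netlogon_sam_network_logon changes from the domain field to the client_domain field with no comment explaining why the value taken "from user supplied auth info" (per the patch description) is the right one to forward in the network logon. Either keep domain here, or add a comment above the call stating which of the two fields the remote logon is meant to see and why, so the choice is visible to the next reader of this authentication path.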
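
Review bot: In the @@ -552 hunk, the strequal(lp_workgroup(), ...) test that returns NT_STATUS_LOGON_FAILURE with "Requested domain was for this domain" now reads client_domain instead of domain, which changes when check_trustdomain_security takes this early return: a request whose client-supplied domain differs from lp_workgroup() while its domain field equals it no longer stops here. If that is intended, update the comment above the test ("If it is, we should use our own local password file") to say the comparison is on the client-supplied name; otherwise leave the comparison on domain.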